[PATCH v2 5/5] wifi: rsi: fix infinite loop when firmware sends zero-length packet

From: Tristan Madani

Date: Wed Apr 15 2026 - 18:25:28 EST


From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>

rsi_read_pkt() reads actual_length from the frame descriptor as a u16.
When the firmware returns actual_length == 0, the loop's index and
rcv_pkt_len counters never change, creating an infinite kernel loop.

Check for zero actual_length immediately after reading it from the
descriptor and bail out if invalid.

Fixes: dad0d04fa7ba ("rsi: Add RS9113 wireless driver")
Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
---
drivers/net/wireless/rsi/rsi_91x_main.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/net/wireless/rsi/rsi_91x_main.c b/drivers/net/wireless/rsi/rsi_91x_main.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/rsi/rsi_91x_main.c
+++ b/drivers/net/wireless/rsi/rsi_91x_main.c
@@ -168,6 +168,9 @@ int rsi_read_pkt(struct rsi_common *common, u8 *rx_pkt, s32 rcv_pkt_len)
do {
frame_desc = &rx_pkt[index];
actual_length = *(u16 *)&frame_desc[0];
+ if (!actual_length)
+ goto fail;
+
offset = *(u16 *)&frame_desc[2];
if (!rcv_pkt_len && offset >
RSI_MAX_RX_USB_PKT_SIZE - FRAME_DESC_SZ)
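Review bot: The new `if (!actual_length)` check right after the `actual_length` read rejects only the exact value zero, while the length comes straight from the device-supplied frame descriptor; nothing in these lines bounds a non-zero `actual_length` against the bytes remaining in `rx_pkt`. Consider validating it in the same place against the remaining `rcv_pkt_len` when that is non-zero (the adjacent `offset` check already treats `!rcv_pkt_len` as a separate case), so that an oversized length is rejected together with the zero case. The bail-out is also silent as written: a debug message before `goto fail` that names the zero length would make misbehaving firmware diagnosable, and it is worth confirming that the `fail` label returns an error the caller acts on rather than retrying the same buffer.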
--
2.43.0